
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AWS re:Inforce 2019


With Amazon EC2, Amazon EBS, Amazon S3, AWS KMS, and more, Intuit’s data platform was able meet the requirements of high availability and rapid infrastructure scaling for 100 percent of the tax year’s seasonal demands. In this session, Intuit answers questions such as: Which portions of a complex system can be forklifted directly? Which need to be reengineered? How can highly sensitive data be migrated and stored securely in AWS? Are operational best practices in AWS different than those on premises? Intuit shares its strategy for establishing sufficient confidence in your business partners and delivering 100 percent product uptime.



  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     Tax returns in the cloud: The journey of Intuit’s data platform (SDD330)
     Amit Matety, Principal Software Engineer, Intuit
     Ben Covi, Staff Software Engineer, Intuit
  2. (image-only slide)
  3. (image-only slide)
  4. (image-only slide)
  5. Intuit data platform
     • Multi-tenant platform for storing Intuit customers' data
     • Supports key-value and document store use cases
     • Managed service that provides out of the box:
       • Access control
       • Encryption
       • Auditing
       • Data lifecycle management
       • Multi-modal integrations
       • Analytics integrations
       • High availability/disaster recovery
     • Supports the TurboTax ecosystem and other critical experiences within Intuit
  6. Intuit data platform - logical architecture (diagram slide)
  7. (image-only slide)
  8. Principles
     • Highly available and secure
     • Never lose data
     • Keep it simple
     • Leverage existing patterns
     • Refactor to accelerate
     • Automate everything
  9. Big boulders
     • Technology evaluation
     • Security strategy
     • Porting the application
     • Operations
     • HA/DR strategy
     • Data migration
  10. Technology evaluation (corporate data center → AWS)
     • Application server hosting: VM → Amazon EC2
     • Key-value store: Cassandra on bare metal → Cassandra on Amazon EC2 + EBS
     • Document store: IBM Cleversafe → Amazon S3
     • Encryption provider: Gemalto SafeNet → Intuit Data Protection Service (IDPS) + KMS
  11. Security strategy
     https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
  12. Security strategy
     • Infrastructure
     • Data handling
     • Partitioning
     • Access
     • Threat modelling
     • Pen testing
  13. Security strategy - infrastructure
     • Intuit Cloud Operations
       • Deploys accounts, Amazon VPCs, subnets
       • Patterns are enforced during onboarding
     • We deploy into this structure
       • Application
       • Datastore
  14.–20. Security strategy - infrastructure (diagram-only slides)
  21. Security strategy - data handling
     • What data will you encrypt?
       • Classify your data: Public, Restricted, Sensitive, Highly Sensitive, Secret
     • Where will you encrypt the data?
       • Application Level Encryption
       • Encryption At Rest
     • Application Level Encryption (ALE)
       • Intuit Data Protection Service (IDPS)
       • Symmetric-key encryption
       • AES-256
       • Probabilistic
       • Key rotation
       • Re-encrypting old data
     • Encryption At Rest
       • AWS KMS
  22. Security strategy - what is Intuit Data Protection Service?
     • Intuit’s key management/HSM solution
     • Features
       • Generation and secure storage of high-quality cryptographic keys and application secrets
       • Encryption and decryption with symmetric and asymmetric algorithms
       • Key versioning
       • Support for a large number of keys, rapid key rotation, and re-encryption
       • Access control
       • Policy-based authentication
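Slides 21 and 22 describe the application-level encryption pattern (versioned keys, probabilistic encryption, key rotation, re-encrypting old data) without showing how the pieces fit together. The following is an added example, not Intuit's IDPS or data-platform code, that models that workflow: a key service that holds versioned keys, records that carry the key version that encrypted them, a rotation that publishes a new current version, and re-encryption of old records either lazily on read or by a background sweep before the old version is retired. The slides state AES-256 in production; to run with the standard library alone this example substitutes an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as the cipher, which is the only part you would swap (for AESGCM from the `cryptography` package) in a real deployment. Class and field names are assumptions.

```python
"""Application-level encryption with versioned keys and re-encryption of old data.

Added example: this is not Intuit's IDPS or data-platform code. It models the
pattern on the data-handling and IDPS slides: a key service holds versioned
symmetric keys, every stored record carries the key version that encrypted it,
rotation publishes a new current version, and older records are re-encrypted
either lazily on read or by a background sweep before the old version is retired.

Assumption: production uses AES-256 (as the slides state). To run with the
standard library alone, this example substitutes an HMAC-SHA256 counter-mode
keystream with encrypt-then-MAC as the cipher; swap in AESGCM from the
`cryptography` package for real use.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) blocks concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyService:
    """Stand-in for IDPS: versioned 256-bit keys, rotation, decryption of any live version."""

    def __init__(self) -> None:
        self._keys = {}
        self.current_version = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new key version and make it current; old versions stay readable."""
        self.current_version += 1
        self._keys[self.current_version] = secrets.token_bytes(32)
        return self.current_version

    def retire(self, version: int) -> None:
        """Delete a key version once no record references it; reads of such records then fail."""
        del self._keys[version]

    def encrypt(self, plaintext: bytes) -> dict:
        version = self.current_version
        key = self._keys[version]
        nonce = secrets.token_bytes(16)  # fresh nonce per call -> probabilistic encryption
        ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, b"v%d" % version + nonce + ciphertext, hashlib.sha256).digest()
        return {"version": version, "nonce": nonce, "ct": ciphertext, "tag": tag}

    def decrypt(self, record: dict) -> bytes:
        key = self._keys[record["version"]]  # KeyError if the version was retired
        expected = hmac.new(key, b"v%d" % record["version"] + record["nonce"] + record["ct"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, record["tag"]):
            raise ValueError("ciphertext authentication failed")
        return _xor(record["ct"], _keystream(key, record["nonce"], len(record["ct"])))


class Store:
    """Key-value store whose values are always encrypted under the key service."""

    def __init__(self, ks: KeyService) -> None:
        self.ks = ks
        self.rows = {}

    def put(self, key: str, value: bytes) -> None:
        self.rows[key] = self.ks.encrypt(value)

    def get(self, key: str) -> bytes:
        record = self.rows[key]
        plaintext = self.ks.decrypt(record)
        if record["version"] != self.ks.current_version:
            self.rows[key] = self.ks.encrypt(plaintext)  # lazy re-encryption on read
        return plaintext

    def stale_keys(self) -> list:
        """Records still encrypted under a non-current key version."""
        return [k for k, r in self.rows.items() if r["version"] != self.ks.current_version]

    def reencrypt_all(self) -> int:
        """Background sweep after rotation; returns the number of records re-encrypted."""
        stale = self.stale_keys()
        for k in stale:
            self.rows[k] = self.ks.encrypt(self.ks.decrypt(self.rows[k]))
        return len(stale)


if __name__ == "__main__":
    ks = KeyService()
    store = Store(ks)
    store.put("return-2018", b"constructed sample tax record")
    ks.rotate()
    print("stale after rotation:", store.stale_keys())
    print("re-encrypted:", store.reencrypt_all())
    ks.retire(1)
    print(store.get("return-2018"))
```

The order of operations is the point: a key version may only be retired after `stale_keys()` is empty, otherwise records that still reference it become unreadable. Tagging the version into the MAC input also means a record cannot be replayed under a different key version.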
  23. Security strategy - partitioning
     • Partition dimensions: business unit, functional group
     • Key-value store: Table
     • Document store: Amazon S3 bucket
  24. Security strategy - access
     • Platform runtime
       • Strict ‘NO’ on usage of access and secret key
       • ONLY instance profile based access
       • Policy rules to restrict access
         • AWS region
         • AWS service
         • IAM Role
         • Amazon VPC
         • Resource operations
     • Platform operations
       • ‘Olympus’ for all human access
       • What is ‘Olympus’?
         • AWS access management tool for Intuit workforce
         • Integrated with IAM to provide predefined roles to workforce users
           • Read only
           • Application operations
           • Power user
           • SSH access
         • Ability for teams to create custom role mapping on a need basis
         • Provides out of box capabilities like security monitoring, audit, and compliance
  25. Security strategy - threat modelling
     Attack vectors → Initial risk summary → Mitigation controls → Residual risk summary
     Playbook: crawl/walk/run
  26. Security strategy - pen testing
     • What?
       • External testing: assets visible on the internet
       • Internal testing: assets behind the firewall
     • Who?
       • Internal security team
       • External vendor
       • Collaboration
  27. Operations - continuous deployment
     • Secure SDLC tools in the CI/CD pipeline
       • Threat modeling, static analysis, composition analysis, interactive application security testing
       • Code, artifacts, dependencies all scanned
     • Restricted orchestration
       • Jenkins runs the pipeline from a separate account, deploys with Terraform
       • Temporary AssumeRole credentials are used to silo access to other accounts
       • The target role is limited in scope
     • Mandatory restacking
       • Intuit generates baseline AMIs, monitors their use
       • AMIs deprecated every 30 days
       • Cert and key rotation
  28. Operations - monitoring
     • Centralized logging and monitoring
       • Bastion logs indexed by Splunk
       • Named Olympus sessions authenticated by CA
     • Security visibility
       • Agent baked into the baseline AMI, forwards events for analysis
     • Policy engine
       • Framework for Cloud Custodian, uses AWS Lambda and Amazon CloudWatch via cross-account roles
       • Alerts account owners to rule violations
     • Deprecated libraries
       • The SSDLC tools in the pipeline all generate reports
     • Deprecated AMIs
       • Central database of baseline images, instance IDs
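Slides 24, 27 and 28 together describe the runtime posture that the policy engine enforces: instance-profile-only access, baseline AMIs deprecated every 30 days, and a central database of baseline images and instance IDs that the engine checks so account owners can be alerted. The following is an added example, not Intuit's Cloud Custodian framework, showing what those three rules look like as detection logic run over a constructed cross-account instance inventory. The inventory shape, the field names and every AMI, account and instance value are assumptions made up for the example.

```python
"""Policy-engine checks over a constructed EC2 inventory.

Added example: this is not Intuit's Cloud Custodian framework. It models three
rules from the access, continuous-deployment and monitoring slides: every
instance runs a baseline AMI recorded in the central image database, no
baseline AMI stays in use past the 30-day deprecation window, and every
instance uses an instance profile rather than static access keys. The inventory
shape, field names and all sample values are assumptions constructed here.
"""
from datetime import date, timedelta

AMI_MAX_AGE = timedelta(days=30)  # "AMIs deprecated every 30 days"

# Constructed stand-in for the central database of baseline images (AMI id -> build date).
BASELINE_AMIS = {
    "ami-base-0001": date(2019, 5, 1),
    "ami-base-0002": date(2019, 6, 10),
}

# Constructed instance inventory, as a policy engine would collect it across accounts.
INSTANCES = [
    {"id": "i-0a1", "account": "111111111111", "ami": "ami-base-0002", "instance_profile": "app-role"},
    {"id": "i-0a2", "account": "111111111111", "ami": "ami-base-0001", "instance_profile": "app-role"},
    {"id": "i-0b1", "account": "222222222222", "ami": "ami-custom-999", "instance_profile": "app-role"},
    {"id": "i-0b2", "account": "222222222222", "ami": "ami-base-0002", "instance_profile": None},
]


def rule_unknown_ami(inst: dict, today: date, baseline: dict):
    """Instance built from an image that is not a tracked baseline AMI."""
    if inst["ami"] not in baseline:
        return "ami-not-baseline"
    return None


def rule_deprecated_ami(inst: dict, today: date, baseline: dict):
    """Baseline AMI older than the deprecation window: the instance must be restacked."""
    built = baseline.get(inst["ami"])
    if built is not None and today - built > AMI_MAX_AGE:
        return "ami-deprecated-restack"
    return None


def rule_no_instance_profile(inst: dict, today: date, baseline: dict):
    """Runtime access must come from an instance profile, never from static keys."""
    if not inst.get("instance_profile"):
        return "no-instance-profile"
    return None


RULES = [rule_unknown_ami, rule_deprecated_ami, rule_no_instance_profile]


def evaluate(instances: list, today: date, baseline: dict = BASELINE_AMIS) -> dict:
    """Return {account_id: [(instance_id, violation), ...]} so account owners can be alerted."""
    findings = {}
    for inst in instances:
        for rule in RULES:
            violation = rule(inst, today, baseline)
            if violation:
                findings.setdefault(inst["account"], []).append((inst["id"], violation))
    return findings


if __name__ == "__main__":
    for account, items in evaluate(INSTANCES, date(2019, 6, 25)).items():
        for instance_id, violation in items:
            print(f"account {account}: {instance_id} -> {violation}")
```

Findings are grouped by account because that is the unit the slides alert on; in a Lambda-driven engine the same `evaluate` call would run per account through a cross-account role, with `today` taken from the scheduled CloudWatch event rather than passed in.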
  29. (image-only slide)
  30. Lessons learnt
     • Identify the biggest blockers to adoption and address them first
     • Identify and plan for the long poles
     • Security-related testing, monitoring and alerting should never be an afterthought
     • Business continuity planning is a cornerstone of a successful migration
     • Prepare your team
     • Learn and optimize along the way
  31. Three key takeaways
     • Security strategy is ever evolving
     • Automation should never be an afterthought
     • Leverage your partnership with AWS
  32. Thank you!
